Security is now a key part of most board-level conversations, though many top executives lack the security expertise to fully understand this next generation of threats, how to detect them or how to respond. But times are changing. In 2017, the World Economic Forum released Advancing Cyber Resilience, a set of security guidelines for board members.
Insurance leaders can take immediate steps to manage the risks their companies face by asking four questions:
1. How can we address the increasing business risks associated with cyber security incidents?
Yesterday’s security approach focused primarily on investing in perimeter protection, compliance and core infrastructure monitoring. It was a fortress-type model. In recent ransomware attacks such as WannaCry and Petya/NotPetya, the malware spread quickly from within an enterprise, moving from country to country, eventually affecting more than 400,000 computers worldwide. Once inside a network, both worms propagated on their own over the SMB file-sharing protocol with no user action required, and NotPetya also harvested administrator credentials to reach machines that already had the SMB patch installed. Signature-based antivirus had nothing to match on the first day, so even enterprises with patching and endpoint protection in place suffered losses.
The best response for an insurance company to such an attack is to be prepared. Periodic security assessments are key to the success of the programme. For example, defence against the recent ransomware attacks would have been aided by periodic penetration testing of internet-facing systems, which would have flagged SMB exposed to the internet, the route by which WannaCry first entered many networks. Better awareness of social engineering threats could have increased employee vigilance to phishing attacks.
It is also important to assess your ability to detect and respond. Attacks spread quickly. You cannot wait to plan your response at the first sign of an incident. Make sure you have a fully tested response plan in place to mitigate this risk. When an incident occurs, all stakeholders, employees and partners should know exactly what they need to do.
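The worms described above are detectable by their traffic shape: one host suddenly opens SMB connections to dozens of peers in seconds, which no workstation does in normal use. The following is an added illustration of that check, not code from DXC Technology or the author. It assumes a simple flow-log line format of "timestamp source destination port" and uses constructed sample flows, including two look-alikes a naive count would misfire on: a slow inventory scanner that touches many hosts over an hour, and an authorised vulnerability scanner that is fast but expected, handled by an allowlist.

```python
"""Detect worm-like SMB fan-out in network flow logs.

Alert when a single source contacts many distinct destinations on TCP/445
inside a short window. Added example for this article, not DXC code. The
log format (one flow per line: "ISO8601-timestamp src dst dst_port") is an
assumption chosen for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_flows():
    """Build constructed sample flows (not real traffic) as log text.

    10.1.1.20  workstation using two file servers on 445 (benign)
    10.1.9.9   inventory scanner, one host every 90 s (benign, slow)
    10.1.9.10  vulnerability scanner, 40 hosts in 40 s (benign, allowlisted)
    10.1.5.5   web proxy, 50 hosts on 443 (benign, wrong port)
    10.1.1.77  infected host, 30 peers on 445 in 30 s (worm behaviour)
    """
    base = datetime(2017, 6, 27, 10, 0, 0)
    lines = []
    for i in range(40):
        t = base + timedelta(seconds=i * 3)
        lines.append(f"{t.isoformat()} 10.1.1.20 10.1.2.{5 + i % 2} 445")
    for i in range(40):
        t = base + timedelta(seconds=i * 90)
        lines.append(f"{t.isoformat()} 10.1.9.9 10.1.3.{1 + i} 445")
    for i in range(40):
        t = base + timedelta(seconds=600 + i)
        lines.append(f"{t.isoformat()} 10.1.9.10 10.1.6.{1 + i} 445")
    for i in range(50):
        t = base + timedelta(seconds=i)
        lines.append(f"{t.isoformat()} 10.1.5.5 10.1.7.{1 + i} 443")
    for i in range(30):
        t = base + timedelta(seconds=300 + i)
        lines.append(f"{t.isoformat()} 10.1.1.77 10.1.4.{1 + i} 445")
    return "\n".join(lines)


def parse_flows(text):
    """Parse log lines into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def fanout_alerts(flows, port=445, window=timedelta(seconds=60),
                  threshold=10, allowlist=()):
    """Return {src: peak_distinct_destinations} for every source whose
    distinct-destination count on `port` within any `window` reaches
    `threshold`. Sources in `allowlist` (known scanners) are skipped."""
    by_src = defaultdict(list)
    for ts, src, dst, p in flows:
        if p == port and src not in allowlist:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # chronological; sliding window needs ordered events
        peak = 0
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, dst in events[i:]:
                if ts - start > window:
                    break
                seen.add(dst)
            peak = max(peak, len(seen))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def demo():
    """Run the detector over the constructed flows with the scanner allowlisted."""
    flows = parse_flows(constructed_flows())
    return fanout_alerts(flows, allowlist=("10.1.9.10",))


if __name__ == "__main__":
    for src, peak in demo().items():
        print(f"ALERT {src}: {peak} distinct SMB peers within 60 s")
```

The window is what separates a worm from an inventory scanner that reaches the same number of hosts over an hour; the allowlist handles the fast-but-expected scanner, and the port filter keeps a busy web proxy out of the result. Tune the threshold and window against your own flow data before relying on it, and treat the alert as a trigger for the response plan rather than a verdict.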
Attack simulations assist with preparation, as do practising business continuity plans. Insurers are experts at risk, but risk management plans should also include the potential impact of malware and ransomware attacks, and wider data loss affecting sensitive customer data. Hackers are known to hold stolen information for ransom, so it is important that every organisation has a clear policy and strategy for any negotiation.
2. How can security and compliance work more closely together?
Security and compliance ultimately serve the same purpose: to protect the enterprise. The difference is simply in why insurers need these functions. Compliance is something you are required to do. Security is something you need to do.
Concerns over customer privacy, however, are underscoring the need for both. While many countries in Asia have historically lagged behind Europe in privacy rights, new rules from the European Union (EU) going into effect in May 2018 are expected to have sweeping effects throughout the world. The EU’s General Data Protection Regulation (GDPR) ensures customers’ rights to control who accesses their data and shopping profiles, how long data can be stored, when it needs to be erased, and who’s notified in case of a breach.
GDPR is similar to Japan’s opt-in privacy laws that went into effect in 2017. However, Japanese consumers are still sceptical about privacy. A 2017 online poll by Rakuten AIP found that fewer than one-fifth (18%) of consumers are confident their information held by companies will not be stolen.
On the brighter side, improving consumer confidence presents an opportunity for companies to build trust online and drive demand for cyber insurance.
Regardless of new regulations, customer privacy should be a board-level conversation. Instead of viewing data protection as just another mandated compliance activity, insurers should view it as a way to gain trust with policyholders, improve the overall management of data and eliminate storage duplication.
In fact, a recent DXC Technology study found that up to 40% of an enterprise’s data is duplicated or unnecessary. A comprehensive approach to data and security will help eliminate data silos across the enterprise, ensure standard policies and drive better outcomes through accurate analytics.
3. How can we manage risks as we adopt more digital business models such as cloud, mobility, the internet of things (IoT) and analytics?
Many insurance companies in 2017 find that their complexity and scale are increasing and their digital transformation demands are growing, while their security design remains stuck in the old model of primarily perimeter-based prevention.
Companies are now using cloud environments for multiple business solutions, ranging from cloud storage to specialised software-as-a-service tools for analytics, claims assessment and even HR and accounting. Technologies such as mobile applications and IoT-enabled devices are adding new layers of functionality but also enlarging the attack surface to protect.
These environments need added systems management and security monitoring to prevent key data from leaking outside the organisation. There are multiple solutions to address identity, data loss prevention and compliance reporting, but many companies do not have the in-house experience to address these needs.
As an organisation extends beyond its existing capabilities, it makes sense to partner with outside experts for global threat intelligence and 24x7 monitoring and incident response capabilities.
By partnering with a team that is designed to act quickly, your company will be prepared to deal with many of the common challenges associated with a cyber security incident, such as a sudden need to contain the malware and then remediate or execute a forensic analysis of how the malware was introduced into the environment. This is also an opportunity to move your security costs to an on-demand, as-a-service model.
4. How does the cyber risk team work with the organisation’s broader enterprise risk function?
Many insurance organisations have still not taken the step of elevating security to the C-suite, and regulators are beginning to force the issue. In March 2017, regulators in India required all insurers (except those founded in the past three years) to appoint a Chief Information Security Officer (CISO) responsible for articulating and enforcing the policies to protect information assets. Duties cover data, applications, operating systems, network layers, security audits and legal requirements for cyber security.
A growing responsibility of the CISO is communication within the organisation, between partners and supply chains, and with industry organisations. This has become more important as cyber criminals continue to extend their reach and capabilities.
Within your organisation, the enterprise risk, cyber risk and compliance functions must be connected and speak the same language. This helps create a clearer picture of business context and how cyber risk translates into business impact. More importantly, it ensures these functions are not all competing with one another for attention and investment money.
By answering these questions, an insurance company can begin a dialogue to launch security improvements and increase focus on disciplined and planned risk management. However, to ingrain more stringent cyber security practices into the organisation’s culture, insurers need their IT security executives to deliver answers in common business language – not security technobabble.
Clear progress reports should be agreed upon by all stakeholders and communicated throughout the organisation. Employees and applications continue to be the No. 1 entry point for cyber attacks. The best way to combat this is to keep cyber security top of mind, clearly understood by all and debated in the normal course of business.
Mr Chris Moyer is Chief Technology Officer for Security at DXC Technology, one of the world’s leading providers of security advisory and managed security services. He helps customers in multiple industries increase their cyber resilience. He has spent more than 25 years building business and technology solutions for clients across the globe. Mr Moyer is a member of the Institute of Electrical and Electronics Engineers. Connect with him on Twitter